Bug 2115690 (CVE-2022-31118)

Summary: CVE-2022-31118 nextcloud-server: missing brute force protection on cloud federation sharing
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ce, ichavero, james.hogarth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud-server 22.2.9, nextcloud-server 23.0.6, nextcloud-server 24.0.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-31 21:33:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115706, 2115708, 2115710, 2115711, 2115712, 2115713, 2115714, 2115715, 2115716, 2115718, 2115719, 2115720, 2115721    
Bug Blocks: 2115633    

Description TEJ RATHI 2022-08-05 07:09:25 UTC 
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq
https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018
Comment 1 TEJ RATHI 2022-08-05 07:20:48 UTC 
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2115706]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115708]
Affects: fedora-all [bug 2115715]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115710]
Affects: fedora-all [bug 2115716]


Created nextcloud:nextcloud-20/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115711]
Affects: fedora-all [bug 2115718]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115712]
Affects: fedora-all [bug 2115719]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115713]
Affects: fedora-all [bug 2115720]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115714]
Affects: fedora-all [bug 2115721]
Comment 2 Product Security DevOps Team 2022-08-31 21:33:29 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.